OT:ICEFALL - A Decade of Insecure-by-Design Practices in OT
Forescout’s Vedere Labs has discovered a set of 56 vulnerabilities affecting devices from 10 operational technology (OT) vendors caused by insecure-by-design practices in OT. The affected products are known to be prevalent in industries such as oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and building automation. Many of these products are sold as “secure by design” or have been certified with OT security standards.
Device Manufacturers Affected
What We Found
The vulnerabilities are divided into four main categories: insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates and remote code execution via native functionality.
- Among the vulnerabilities we found, 38% allow for compromise of credentials, 21% allow for firmware manipulation and 14% allow remote code execution
- 74% of affected product families have some form of security certification
- Risk management is complicated by the lack of CVEs
Why OT:ICEFALL Matters
With OT:ICEFALL, we wanted to disclose and provide a quantitative overview of OT insecure-by-design vulnerabilities rather than rely on the periodic bursts of CVEs for a single product or a small set of public, real-world incidents that are often brushed off as a particular vendor or asset owner being at fault. These issues range from persistent insecure-by-design practices in security-certified products to subpar attempts to move away from them. The goal is to illustrate how the opaque and proprietary nature of these systems, the suboptimal vulnerability management surrounding them and the often-false sense of security offered by certifications significantly complicate OT risk management efforts.
Why the Name OT:ICEFALL?
It has been 10 years since Project Basecamp, a research project conducted by Digital Bond that investigated how critical OT devices and protocols were, to use the term they coined, “insecure by design.” Icefall is the name of the second stop on the Everest route, after Base Camp. Given the rising number of OT vulnerability disclosures, we know we have a mountain to climb to secure these devices and protocols.
Risk Mitigation Strategies
While device manufacturers address fundamental issues with insecure-by-design firmware and protocols, asset owners should intensify their cybersecurity efforts, including network monitoring and reducing traffic between IT and OT networks and the internet, limiting network connections to only specifically allowed engineering workstations and focusing on consequence reduction, where possible.
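As an added illustration of the monitoring and connection-limiting advice above (this is example code written for this page, not Forescout's or any vendor's tooling), the script below audits constructed flow records against a simple policy: engineering-service ports on OT devices may only be reached from an allowlisted set of engineering workstations, and OT devices should not talk to internet addresses. The subnets, workstation addresses, port numbers and log lines are all assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# All addresses, ports and log lines in this file are constructed for the
# example; they do not describe any real network or any device on the page.
OT_SUBNET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_ENGINEERING_WORKSTATIONS = {
    ipaddress.ip_address("10.10.1.10"),
    ipaddress.ip_address("10.10.1.11"),
}
# Hypothetical TCP ports on which the OT devices expose engineering or
# firmware-download services; real values depend on the vendor and product.
ENGINEERING_PORTS = {20000, 20001}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record: <ts> <src> <dst> <dport> <proto>."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto)


def classify(flow: Flow) -> Optional[str]:
    """Return an alert label when a flow violates the policy, else None."""
    # Engineering access to an OT device from anything but an approved workstation.
    if flow.dst in OT_SUBNET and flow.dport in ENGINEERING_PORTS:
        if flow.src not in ALLOWED_ENGINEERING_WORKSTATIONS:
            return "engineering-access-from-unapproved-host"
    # OT device initiating traffic to a globally routable (internet) address.
    if flow.src in OT_SUBNET and flow.dst.is_global:
        return "ot-device-talking-to-internet"
    return None


def audit(lines: List[str]) -> List[Tuple[str, str, str, int, str]]:
    """Run every record through the policy and collect the violations."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        label = classify(flow)
        if label is not None:
            findings.append((flow.ts, str(flow.src), str(flow.dst),
                             flow.dport, label))
    return findings


# Constructed sample: one approved engineering session, one from an
# unapproved IT host, one ordinary HTTPS flow, one OT-to-internet flow and
# one OT-to-OT engineering connection that the allowlist also rejects.
SAMPLE_FLOWS = """\
2022-06-21T10:00:01 10.10.1.10 10.20.0.5 20000 tcp
2022-06-21T10:00:07 10.10.5.44 10.20.0.5 20000 tcp
2022-06-21T10:00:12 10.10.5.44 10.20.0.5 443 tcp
2022-06-21T10:01:03 10.20.0.9 93.184.216.34 80 tcp
2022-06-21T10:01:20 10.20.0.9 10.20.0.5 20001 tcp
""".splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```

The allowlist deliberately keys on source address plus destination port rather than on protocol decoding, because the engineering protocols discussed on this page are often proprietary and undocumented; a deep-packet-inspection product can refine this into per-function alerts, but a flow-level allowlist is something any asset owner can derive from existing firewall or NetFlow data.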
How Forescout Can Help
Implementing mitigation for OT:ICEFALL requires:
- Extensive visibility on devices and communications based on deep packet inspection
- Segmentation of OT assets
- Continuous network monitoring
- ICS-specific threat and vulnerability hunting capabilities
The Forescout Continuum Platform helps you achieve all of these steps without disrupting critical business processes or requiring operational downtime. Forescout’s eyeInspect product has native monitoring capabilities for the protocols used by the affected devices and built-in detection for exploitation of OT:ICEFALL vulnerabilities. Customers should update to the latest eyeInspect release to make full use of our industrial threat library, which is updated monthly with ICS-specific IOCs and CVEs.
Commitment to the Cybersecurity Community
As part of the OT:ICEFALL disclosure, Forescout provided the cybersecurity community with a technical report in which we discuss the 56 vulnerabilities, their impact and their mitigation in detail, as well as the insecure-by-design debate, the effect of opacity on risk management, industry-specific attack scenarios and more.
- Emerson DeltaV Distributed Control System
- Emerson ControlWave
- Emerson OpenBSI
- Emerson ROC800, ROC800L and DL800
- Bently Nevada ADAPT 3701/4X Series and 60M100
- Honeywell Safety Manager
- Honeywell Saia Burgess PG5 PCD
- Honeywell ControlEdge
- Honeywell Experion LX
- Honeywell Trend Controls Inter-Controller Protocol
- JTEKT TOYOPUC
- Phoenix Contact Classic Line Controllers
- Phoenix Contact ProConOS and MULTIPROG
- Phoenix Contact Classic Line Industrial Controllers
- Siemens WinCC OA
- Yokogawa STARDOM
- Omron SYSMAC CS/CJ/CP Series and NJ/NX Series
- Motorola Solutions MOSCAD IP and ACE IP Gateways
- Motorola Solutions MDLC
- Motorola Solutions ACE1000